Security updates are an integral part of the IT world. Linux may be regarded as one of the most secure operating systems, but that does not change the fact that it too has vulnerabilities that must be fixed through timely security updates. In general, we need to apply Linux security updates within 30 days of their release.
We have already discussed how to set up automatic security updates on CentOS. In this tutorial, we will show you step by step how to configure an Ubuntu 16.04 server for automatic security updates, so that whenever a security package update is released, the system downloads the packages and applies the update automatically.
What we will do
- Install unattended-upgrades on Ubuntu 16.04
- Configure unattended-upgrades
- Enable automatic updates
- Check updated packages
Prerequisites
- Ubuntu 16.04 Server
- Root privileges
Step 1 - Install unattended-upgrades on Ubuntu 16.04
The first thing we must do is install the 'unattended-upgrades' package. It is available in the Ubuntu repository, and we can install it using the apt command.
Log in to your server using SSH.
ssh root@hakase-labs
Refresh the package lists from all repositories and install 'unattended-upgrades' using the apt commands below.
sudo apt update
sudo apt install unattended-upgrades
After the installation, we need to edit the configuration in the '/etc/apt/apt.conf.d' directory.
Step 2 - Configure unattended-upgrades
The unattended-upgrades configuration lives in the '/etc/apt/apt.conf.d' directory. We need to edit it to define the update/upgrade type, blacklist packages that must not be upgraded, and set some additional options.
Go to the '/etc/apt/apt.conf.d' directory and edit the configuration file '50unattended-upgrades' using the vim editor.
cd /etc/apt/apt.conf.d/
vim 50unattended-upgrades
Define upgrade type
We need to define which type of update/upgrade the system will apply. The unattended-upgrades package supports several automatic upgrade types, including upgrading all packages or installing security updates only. For this guide, we only want to enable 'security' updates on the Ubuntu 16.04 system.
In the first configuration block, 'Allowed-Origins', comment out all lines and leave only the security line, as shown below.
Unattended-Upgrade::Allowed-Origins {
// "${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
// "${distro_id}ESM:${distro_codename}";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
Blacklist Packages
The second block is the package blacklist configuration. Here we define which packages are allowed to be updated and which are not. Sometimes we do not want certain packages to be updated because, for whatever reason, they are critical to the system.
In this section, we just want to give an example of a package blacklist configuration. Suppose we do not want 'vim', 'mysql-server' and 'mysql-client' to be upgraded; in that case, our blacklist configuration should look similar to the one shown below.
Unattended-Upgrade::Package-Blacklist {
"vim";
"mysql-server";
"mysql-client";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
Additional Configuration
Next, we want to enable some additional features provided by unattended-upgrades: an email notification for every update, automatic removal of unused packages (the equivalent of running 'apt autoremove'), and an automatic reboot when one is needed.
For email notification, uncomment the following line.
Unattended-Upgrade::Mail "root";
Note:
Make sure the mailx or sendmail package is installed on your system. You can use the following command to install a mail application.
sudo apt install -y sendmail
To enable automatic removal of unused packages, uncomment the following line and change its value to 'true'.
Unattended-Upgrade::Remove-Unused-Dependencies "true";
And for an automatic reboot after the upgrade (when one is needed), uncomment the 'Automatic-Reboot' line and change its value to 'true'.
Unattended-Upgrade::Automatic-Reboot "true";
With 'Automatic-Reboot' enabled, the server reboots automatically after all updated packages have been installed. We can, however, set the time of that reboot by uncommenting the corresponding configuration line and changing its value. Here is my configuration.
Unattended-Upgrade::Automatic-Reboot-Time "00:00";
Save and exit.
The unattended-upgrades package is installed, and its configuration is complete.
Step 3 - Enable automatic updates
To enable automatic package updates, we need to edit the auto-upgrades configuration.
Go to the '/etc/apt/apt.conf.d' directory and edit the configuration file '20auto-upgrades' using vim.
cd /etc/apt/apt.conf.d/
vim 20auto-upgrades
Make the configuration look like this.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "3";
APT::Periodic::Unattended-Upgrade "1";
Save and exit.
Note:
- Update-Package-Lists: 1 enables the automatic refresh of the package lists, 0 disables it.
- Download-Upgradeable-Packages: 1 enables automatic downloading of upgradeable packages, 0 disables it.
- AutocleanInterval: runs 'apt autoclean' every X days. The configuration above cleans the package cache every 3 days.
- Unattended-Upgrade: 1 enables the automatic upgrade run, 0 disables it.
At this stage, all security updates will be downloaded and installed on the system automatically.
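As an added check written for this guide (not part of the unattended-upgrades package), the following Python script parses the apt.conf fragments edited in Steps 2 and 3 and reports settings that would silently leave the host unpatched. The embedded configuration is a constructed copy of the values shown above, and the parser only understands the '//' comment, scalar and list forms used in these two files.

```python
import re

# Constructed sample of the 50unattended-upgrades and 20auto-upgrades edits above (not read from /etc).
SAMPLE_CONF = """
Unattended-Upgrade::Allowed-Origins {
// "${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "00:00";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
"""

def parse_apt_conf(text):
    """Parse the apt.conf subset used here: '//' comments, 'Key "value";' scalars, 'Key { "a"; };' lists."""
    conf, block = {}, None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()   # drop comments (values here never contain //)
        if not line:
            continue
        if block is not None:                  # inside a { ... }; list block
            if line.startswith("}"):
                block = None
            else:
                conf[block].append(line.strip('";'))
            continue
        m = re.match(r'^([\w:.-]+)\s*(\{|"([^"]*)";)$', line)
        if m and m.group(2) == "{":            # opening line of a list block
            block = m.group(1)
            conf[block] = []
        elif m:                                # scalar setting
            conf[m.group(1)] = m.group(3)
    return conf

def audit(conf):
    """Return findings; an empty list means the config matches this guide's policy."""
    findings = []
    origins = conf.get("Unattended-Upgrade::Allowed-Origins", [])
    if not origins:
        findings.append("no Allowed-Origins enabled: nothing will ever be installed")
    findings += ["non-security origin enabled: " + o for o in origins if not o.endswith("-security")]
    for key in ("APT::Periodic::Update-Package-Lists", "APT::Periodic::Unattended-Upgrade"):
        if conf.get(key) != "1":
            findings.append(key + " is not 1: the daily run will not upgrade anything")
    if conf.get("Unattended-Upgrade::Automatic-Reboot") == "true" and "Unattended-Upgrade::Automatic-Reboot-Time" not in conf:
        findings.append("Automatic-Reboot set without Automatic-Reboot-Time: host reboots right after the run")
    return findings
```

On a live server, feed it the concatenated contents of '50unattended-upgrades' and '20auto-upgrades', and compare the result with the authoritative view from 'apt-config dump' and 'unattended-upgrade --dry-run --debug'.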
Step 4 - Check updated packages
Checking unattended-upgrades logs
To identify all updated packages, we check the unattended-upgrades logs located in the '/var/log/unattended-upgrades' directory.
Go to the '/var/log/unattended-upgrades' directory and check available logs.
cd /var/log/unattended-upgrades
ls -lah
You will find 3 log files.
- unattended-upgrades-dpkg.log - dpkg output for the package installs, upgrades and removals performed by unattended-upgrades.
- unattended-upgrades.log - the main unattended-upgrades log: the list of packages to be upgraded, the blacklisted packages, and any error messages (if there is an error).
- unattended-upgrades-shutdown.log - log of the shutdown hook that waits for an in-progress upgrade run to finish before the system shuts down.
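An added example (not from the original guide) that reads unattended-upgrades.log and summarises each run: which packages it upgraded, whether it finished, and whether a reboot followed. The log lines are a constructed sample modelled on the messages this version writes, so treat the exact wording of the matched prefixes as an assumption to verify against your own log.

```python
import re

# Constructed sample modelled on unattended-upgrades.log line formats (not a real capture).
SAMPLE_LOG = """\
2017-10-24 06:25:35,345 INFO Initial blacklisted packages: vim mysql-server mysql-client
2017-10-24 06:25:35,347 INFO Starting unattended upgrades script
2017-10-24 06:25:35,348 INFO Allowed origins are: ['o=Ubuntu,a=xenial-security']
2017-10-24 06:25:43,614 INFO Packages that will be upgraded: libssl1.0.0 openssl
2017-10-24 06:26:02,220 INFO All upgrades installed
2017-10-24 06:26:05,221 WARNING Found /var/run/reboot-required, rebooting
2017-10-25 06:30:01,002 INFO Starting unattended upgrades script
2017-10-25 06:30:01,003 INFO Allowed origins are: ['o=Ubuntu,a=xenial-security']
2017-10-25 06:30:09,511 INFO Packages that will be upgraded: curl libcurl3
2017-10-25 06:30:30,777 ERROR Installing the upgrades failed!
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ (\w+) (.*)$")

def summarize(log_text):
    """Split the log into runs (one per 'Starting unattended upgrades script') and
    record what each run upgraded, whether it finished, and whether it rebooted."""
    blacklist, runs, problems = [], [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # continuation or dpkg output, not a log record
        stamp, level, msg = m.groups()
        if msg.startswith("Initial blacklisted packages:"):
            blacklist = msg.split(":", 1)[1].split()
        elif msg.startswith("Starting unattended upgrades script"):
            runs.append({"started": stamp, "origins": "", "packages": [],
                         "installed": False, "rebooted": False})
        elif runs and msg.startswith("Allowed origins are:"):
            runs[-1]["origins"] = msg.split(":", 1)[1].strip()
        elif runs and msg.startswith("Packages that will be upgraded:"):
            runs[-1]["packages"] = msg.split(":", 1)[1].split()
        elif runs and msg == "All upgrades installed":
            runs[-1]["installed"] = True
        elif runs and msg.endswith("rebooting"):
            runs[-1]["rebooted"] = True
        if level in ("WARNING", "ERROR"):
            problems.append((stamp, level, msg))
    return {"blacklist": blacklist, "runs": runs, "problems": problems}

def unfinished_runs(summary):
    """Runs that announced packages but never logged 'All upgrades installed'."""
    return [r for r in summary["runs"] if r["packages"] and not r["installed"]]
```

A run listed by unfinished_runs is the case to investigate first, since the packages it named are still at their old, vulnerable versions.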
Update Notification
Another way to identify updated packages is the update notification shown on SSH login.
The following screenshot shows server notification before security updates are applied.
And when all security packages get updated, the following message is displayed.
Email Notification
For email notifications, we have set up delivery to the root mailbox.
Go to the '/var/mail' directory and read the root mailbox file.
cd /var/mail/
cat root
From it we can identify blacklisted packages, updated packages, and removed packages.
Reboot check
To check whether the server has rebooted, use the following command.
last reboot
The following is the result before all security packages are upgraded.
And here's the result after upgrades.
The unattended-upgrades package has been installed and configured for automatic security updates, and it is working with both automatic reboot and email notification enabled.